Data protection regulations, like the EU’s GDPR and its international emulators, have opened up a new frontier in compliance hiring for wealth managers. New research from WealthBriefing and RegTech firm Apiax examines their hiring and technology plans as the enormity of their obligations continues to grow.

This is the second in a two-part research special on this topic. To view Part 1, click here.

As business-leaders and, indeed, front-line staff will know, it is hard to escape the tentacle-like influence of data protection regulations today. The 2018 implementation of the EU’s General Data Protection Regulation ushered in a new age in which the treatment (or “processing,” to use the correct parlance) of personal information is regulated to what some may see as a stifling degree. And, with places including India, Brazil, Hong Kong and Dubai all implementing their own versions (and doubtless more to come), there is no escape for the highly internationalised wealth management industry. Cope firms must.

Just how they should do so is something of a vexed question, however; it is also one with which wealth firms have been grappling on any number of compliance fronts in recent decades. Can they simply “throw people at the problem,” with all the costs that that implies, or should they instead seek to yoke technology to the task so that hiring can be kept down?

According to new research by this publication and RegTech firm Apiax, this is a crucial point upon which wealth managers are really starting to diverge. Comparing firms’ approaches internationally, there are important regional differences to note too.

Headcounts rising

Having surveyed and interviewed Data Protection Officers (and their equivalents) at private banks, wealth managers and Tier 1 banking groups operating in Europe, this publication found that 44% had increased their data-protection-related headcount in the preceding 12 months. In what will be very welcome news to headhunters able to provide in this niche area, 47% are targeting further hires over the next year.  

Economically, highly uncertain times lie ahead as the ramifications of the coronavirus pandemic play out. And, abundant research suggesting increasing numbers of clients on the move will make for a precarious period for wealth managers which were not able to use these strangest of times as an opportunity to cement relationships. What they will (hopefully) be sure of, however, is that they cannot afford to scrimp when it comes to meeting their obligations in data protection. The immense fines, not to mention reputational damage, that non-compliance threatens is seeing this element of compliance being taken very seriously indeed: 4% of annual global turnover is a sum no firm can shrug off and privacy has never been more prominent in the public consciousness.

As Part 1 of this feature set out, wealth managers’ data-protection woes have been aggravated to a painful degree by July’s bombshell Schrems II ruling, which invalidated the use of the US Privacy Shield. As ever, the devil is in the detail and the “meat” of the EUCJ’s verdict essentially made European data exporters responsible for risk-assessing the data-protection regime of any territory they wish to send information to if it is not part of the European Economic Area and has not been rubber-stamped by the EU Commission as “adequate.”

Complex webs

This, and putting legally watertight safeguarding measures in place when undertaking data transfers, represents a huge task for wealth managers - particularly when one considers the complex web of supplier relationships they are likely to have in place, and the prevalence of cloud-based technologies today. Even modestly-sized boutiques reported 20 or more supplier relationships with data protection implications. Then there are all the flows of client, and employee, data necessary intra-group. Interpreting the impact of sprawling data protection rules and requirements, alongside their interplay with all others wealth managers are subject to, is an emphatically unenviable task.

And specialists in this area are asked to have incredibly broad shoulders, as the Data Protection Officer for the UK business of a European private banking group explained: “Data protection is often quite a small department, or even just one person - I usually only see teams of a maximum of three in the industry. We’ve got an awful lot of work to get through, so that’s one of the biggest challenges we face.”

Several interviewees from Tier 1 banks spoke of significant hiring plans as part of their firms’ ambitions to establish data protection “centres of excellence” to lead on best practice across the group. However, it may be inferred that the planned increases to headcount identified by our study will be relatively small in absolute terms for the most part – not least because data protection expertise is hard to come by, and correspondingly expensive. According to the IAPP, the median annual salary for privacy practitioners globally is around £92,000, not least because lawyers are often in the DPO hotseat (although this isn’t a requirement).

Adding value?

For that reason, firms of all sizes will be concerned with making sure their data protection personnel’s time is deployed in the most valuable way. Although essential, our interviewees made it clear that keeping their own knowledge up-to-date is a task without end.

“Horizon scanning and reading all the news and lawyers’ guidance could be a full-time job in itself,” said the DPO for the UK arm of a European private banking group. “I get inundated on a daily basis with updates and though they are very important, often you can only skim things.”

Correspondingly, there are concerted moves among more forward-thinking firms to implement centralised repositories for news and regulatory implications: a third of firms are now using digital resourcing in this area. Pragmatism is also shining through, since a quarter have opted for an external solution rather than add to their technology to-do lists.

Interesting differences in motivation are apparent between East and West, however. Although efficiency was the biggest reason for implementing a digital solution for both cohorts (respectively cited by 68% and 58%), something approaching one-fifth (17%) of data-protection specialists in the Asia-Pacific zone said that their firms' primary driver was an urgent need for innovation/digitisation. In Europe, not one said the same.

Of course, these findings ought to be interpreted in the light of the fact that technological innovations – particularly those related to AI and other big data “monitoring” techniques – invariably call for Data Protection Impact Assessments to be carried out. Thus, the more cutting-edge a firm becomes, the greater its data-protection workload grows. Yet looking even deeper, and in line with comments made during the course of this research, it becomes apparent that a small but growing band of wealth managers are seeking to wring business benefits from what others may see only as a compliance burden.  

There is ample evidence that clients are happier to give more – and higher-value – information when they are confident that it will be looked after and used according to their wishes, and where they have high levels of control through the use of privacy dashboards and the like. Ascending to that place of both immaculate compliance and client-centricity is the next frontier for wealth managers and so it is a great shame that many still seem trapped in the foothills of keeping on top of what their obligations actually are in the first place.

Data protection has the potential to be one of the most exciting, and actually revenue-generative, areas of wealth management compliance. It will be very interesting to see what those who have offloaded the heavy lifting of horizon scanning and rule making can do to make their privacy programmes pay dividends in the years ahead.  

The European data protection study that Apiax carried out with WealthBriefing follows a similar one undertaken among Asia-Pacific institutions earlier in the year. To view the full findings of both, click here.